Farming Out Network Security

Our last presidential campaign raised a lot of ire over the subject of outsourcing. Network security outsourcing is facing its own controversy within the security field, not over social concerns but over issues of trust.

The most frequently outsourced networked security services are the selection, installation and monitoring of the corporate firewall, virtual private networks and Internet setup and services. Managed antivirus services and Web content filtering and blocking are becoming increasingly popular. But is it safe to put these services in the hands of an outsider?

Why Do Companies Outsource?
Why do companies outsource? It’s clear now that protecting the network perimeter alone is insufficient. Isolated security products have vulnerabilities that perimeter protection fails to take into account, so the best approach involves securing critical assets, networks and information systems while implementing robust defenses against hackers, viruses and other online threats. It may be difficult or impossible to employ security staff capable of dealing with all these threats.

In many companies, network security staff have system responsibilities and activities that go beyond security. In addition, understanding and defending against the latest threats requires constant education of staff, delegation of additional tasks, and proactive monitoring, maintenance and upgrading of the firm’s network protection. This can result in an ongoing need to add security staff, which also adds to the budget for staff, related benefits and IT products.

Financial savings and staffing challenges are two of the most-cited reasons companies outsource network security. Third-party security service providers offer competent handling of routine security activities (i.e. monitoring and maintenance of hardware, software, traffic), and they can prepare the numerous reports required by government regulations. With these tasks out of the way, companies can focus their internal efforts and personnel on more critical security functions.

There are, of course, certain risks in outsourcing security functions. When you outsource, you are allowing outsiders into your network. Can you trust the firm to which you’re outsourcing? Is the provider vigilant about the background and expertise of their personnel? Is your network safe?

Many companies feel that because of compliance issues in their industry sector, it’s necessary to develop a network core competency in-house, and that outsourcing can serve to defeat this objective. Total control of security should never be ceded to an outside provider. While it may be possible to hand off management duties, most companies find that keeping control of critical functions is vital to a successful security program.

Managed Security Services
When cost and complexity seem unmanageable, a managed security service provider can provide a level of technology, training and expertise that ensures immediate and appropriate response to real threats. Gartner anticipates that during 2005 the demand for MSSP will increase by a compound annual growth rate of 31 percent, and The Yankee Group says that outsourced security services will reach $1.7 billion in 2005. Large companies such as Cisco, Symantec, Level 3 and Verisign now offer expanding MSSP practices.

In order to reach their potential, MSSPs will have to overcome the bias many companies have against letting an outsider run their security. And since no MSSP offers total reliability, companies must negotiate smart contracts that provide for insurance and compensation for damages.

Picking Your Provider
Outsourcing is a big step for a company to take, and one that is not easily reversible. If you’ve decided to outsource, the next step is choosing a reliable provider. Take the following considerations into account before you make your final decision.

Longevity. A reliable MSSP should have a proven track record of delivering quality security services over a long period of time.

Annual revenues. Check the financial stability of the MSSP. Gartner estimates that a publicly traded MSSP should have more than $10 million in annual MSSP contracts. This figure indicates a base of revenue that can support growth and enhancement of services.

State-of-the-art facilities. A reliable MSSP will have two or more security operations centers that run 24x7x365. This allows for cross monitoring, backup in the event of disaster, and constant compliance with security standards.

Management credentials. Look for MSSP management and staff with backgrounds in the industrial, military and government sectors. Check for MSSP staff education and certifications to see whether they evoke confidence, whether personnel are permanent or contracted, and whether they are vetted.

References. Providers tend to give only those references that are sure to check out well. On an on-site visit, be sure to speak to some of the MSSP’s employees. They may give you more candid information than your main contact would.

Security management processes. An MSSP should provide documented standards and policies for handing operations and threats. Additionally, the MSSP should offer a variety of attack alert notification methods that will allow you to mitigate risk in real time.

Global intelligence. To provide real-time alerts and timely recommended actions, an MSSP should have security experts who monitor and analyze data from customers around the world.

Breadth of services. Besides providing a wide variety of services, an MSSP should be able to meet security needs for a broad selection of companies in different sectors.

Real-time analysis and response. An MSSP should be able to separate false positives from real security threats by correlating, analyzing and interpreting large volumes of network security data accurately in real time.

Vendor neutrality. Personnel at an MSSP should include specialists with certification across a broad range of products from a variety of security vendors. This allows the MSSP to select best-of-breed solutions without bias.

Auditing. A reliable MSSP should have a third-party auditor who validates and certifies procedures, practices and facilities. An audit report should be readily available to customers on a regular basis and/or upon request.

Reporting. Reports should be detailed enough to help you determine the cost-effectiveness of the managed services and validate security efforts. The MSSP should be able to consolidate and analyze security log data. It must also be capable of stringent compliance reviews.

Consulting. Due to the continuous management and monitoring of the security operations, the MSSP should be capable and willing to help develop a company-wide security policy that sets access control rules for customer employees.

Contract. Is the service time-based and monolithic or can the ultimate objective be broken down into small deliverables purchased a la carte? Companies should consider whether there are economies built into the monolithic contract or whether it’s preferable to purchase small deliverables without committing to a monolithic fee that covers a large project or period of time.

Realizing ROI
If you outsource, you’ll want to make certain that the outsourcing deal offers you a proven return on investment. Realizing a concrete ROI may take time, but you can use these guidelines to assess your potential ROI.

Contract. Once again, consider the contract and whether it’s monolithic or flexible. Consider what your firm needs for adequate security and what you can afford. Is it advantageous to pay a large sum for a complete service and long-term project or pay for smaller deliverables that are achievable, sufficient and less expensive?

Consistent expertise. A service provider may show up for a sales meeting with top experts, but then deploy different personnel once the contract is signed. When that happens, a customer does not get the benefits expected. It’s important to find out the level of the service people to be assigned to your contract.

Performance measurement. Define goals, deadlines, performance benchmarks and other deliverables and track MSSP performance. Ideally, the MSSP should do tracking while the customer does spot checks.

Complaint handling. It is unrealistic to believe that there won’t be problems. Unfortunately, unless your contract clearly delineates a method for handling complaints, they won’t be handled quickly and efficiently. Monetary compensation and money-back guarantees are ways of handling complaints.

Match cultures. Is the MSSP’s culture inclusive or exclusive? The best service provider offers information on demand and makes sure that questions don’t languish unresolved. This can involve service, equipment, personnel, subsidiaries and anything that affects your security.

Travel expenses. Excessive travel and related expenses can negatively affect handling of security issues and run up related costs. It’s important to clarify prior to signing on with the MSSP how travel will be dealt with.

Assess services. Auditing should provide you with a clear picture of what types of security issues were effectively handled by the MSSP and how many individuals were involved. Monitoring these issues and related costs should provide you with an understanding of which services under contract with the MSSP are used most and which services may not be necessary and might be better handled (at a cost savings) in-house.

Bigger Isn’t Better
One of the reasons that outsourcing network security is a controversial subject is that it hasn’t proven its worth to most major companies. However, major companies are not the only fish in the sea.

Small companies with less than 100 employees and online companies that deal primarily in e-commerce and don’t have large IT staffs consider MSSP beneficial because they get state-of-the-art security without having to maintain a large technical staff and worry about security glitches and vulnerabilities.

Mid-sized companies with 100 to 1,000 employees and $100 million to $1 billion in revenue comprise the most rapidly growing segment of industry turning to MSSP. They generally don’t have large, dedicated security staffs, and they use MSSPs to offload many of the routine security functions and time-consuming reports that they just don’t have manpower to complete.

Larger companies frequently have sufficient staff assigned to network security to handle it internally. However, with new vulnerabilities and legal requirements, large firms are also looking seriously at outsourcing and whether it can be beneficial to them.

We can conclude that there isn’t a “best” model for outsourcing network security. Overall, time and experience will be the best test of whether outsourcing network security is a viable alternative for companies, and which companies will benefit the most from it.

D.E. Levine, CISSP, CFE, FBCI, CPS is a contributing editor and frequent contributor to ST&D. She has co-authored several security books and can be can be reached by e-mail at dlevine@techwriteusa.